This week we will focus on several high-profile vulnerabilities in a variety of blockchain projects. The FairWin Ponzi scheme wins the prize for not only allowing contract owners to steal all the funds, but also failing to protect the contract itself from a front-running attack. Zcash allowed linking of shielded addresses to the IPs of the full nodes originating them. A new clipboard-stealing malware family targets all major cryptocurrency assets. On a lighter note, Arpox made an awesome write-up for the Capture the Coin competition, which he absolutely dominated this year!
Vulnerabilities
[Vulnerability Disclosure] [FairWin] Front-running in the currently most used Ethereum contract - details of the vulnerability in a popular scam on the Ethereum network. The front-running attack allows anyone to steal investments while the code itself allows contract owners to empty all of the stored funds.
Zcash Metadata Leakage CVE-2019-16930 - a bug in Zcash shielded transactions may allow the discovery of full nodes owning the shielded address. This can have a severe privacy effect where it may be possible to discover the IP address of the sender. Patches are already available on Zcash node software.
Vyper: Here be Snakes! - an interesting function hash collision in the Vyper language which can override the default fallback function. It may be used to include unwanted functionality into the contract.
Staying Safe from the Recent Lightning Vulnerability - additional details for a critical vulnerability in many lightning network nodes which accepted invalid payment channels. The post also provides tools to detect if your lightning node was affected and steps to mitigate the attacks.
Malware
Masad Stealer: Exfiltrating using Telegram - a Juniper Threat Labs report on a new Windows-only malware family capable of stealing user credentials and replacing cryptocurrency wallet destination addresses with ones controlled by the attackers. It performs the latter task by matching and replacing common cryptocurrency address patterns in the clipboard. The malware is unique in its use of Telegram for C2 communications.
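The clipboard-swapping behaviour described in the report above can be caught on the defender's side by remembering what the user actually copied and flagging a later clipboard read that returns a different address of the same coin type. The following is an added example of that detection logic, not code from the Juniper report; the address patterns are syntactic shapes only, and the clipboard events and addresses are constructed for the demo.

```python
import re

# Syntactic shapes of the address types clipper malware commonly targets
# (no checksum validation; this only decides whether text looks like an address).
ADDRESS_PATTERNS = {
    "bitcoin_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text):
    """Return the address type of `text`, or None if it is not an address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def detect_swaps(events):
    """Replay clipboard events and return [(copied, replacement), ...].

    events are (source, text) pairs: "copy" is a user-initiated copy, "read"
    a periodic poll of the clipboard. A swap is flagged when a poll returns
    an address of the same type the user last copied but with other contents.
    """
    expected = None  # (kind, address) of the last user-copied address
    swaps = []
    for source, text in events:
        text, kind = text.strip(), classify(text)
        if source == "copy":
            expected = (kind, text) if kind else None
        elif (source == "read" and expected
              and kind == expected[0] and text != expected[1]):
            swaps.append((expected[1], text))
    return swaps


# Constructed sample (not real addresses): a Bitcoin address is read back once
# unchanged, then a poll shows a different address of the same shape (clipper
# behaviour); the Monero address copied afterwards is read back intact.
USER_BTC, SWAPPED_BTC, USER_XMR = "1" + "A" * 33, "1" + "B" * 33, "44" + "A" * 93
SAMPLE_EVENTS = [
    ("copy", USER_BTC), ("read", USER_BTC), ("read", SWAPPED_BTC),
    ("copy", "meeting notes"), ("read", "meeting notes"),
    ("copy", USER_XMR), ("read", USER_XMR),
]

if __name__ == "__main__":
    for copied, replacement in detect_swaps(SAMPLE_EVENTS):
        print(f"clipboard swap detected: {copied} -> {replacement}")
```

A real monitor would feed "copy" events from the application's own copy action and "read" events from polling the system clipboard; a flagged swap is the moment to stop the user before they paste.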
Indicators:
WannaCryFake Decryptor - a decryption tool for the WannaCryFake ransomware. WannaCryFake encrypts files using the AES-256 algorithm and demands a ransom in Bitcoin.
Events
Capture the Coin CTF write-up by Arpox - an awesome write-up of all the challenges by the first-place winner, Arpox. I highly recommend going through his article if you are interested in learning how to tackle a wide range of blockchain security topics.
That’s all in blockchain threat intelligence this week. Stay safe and patch early!